Denver Lacks Comprehensive Approach to Cybersecurity, Auditor Finds

The city’s approach to cybersecurity risks is at best “informal,” according to Denver’s auditor. Mandatory training is often skipped and oversight of some facilities is lax.

Colorado Mayor Mike Johnston on July 25, 2023, in Denver. (RJ Sangosti/The Denver Post/TNS)
Denver lacks a comprehensive program to assess potentially disastrous cybersecurity risks, City Auditor Tim O’Brien said in a new report.

The city’s current approach can best be described as “informal,” O’Brien said, particularly when it comes to oversight of independent city agencies or cultural facilities — like the Denver Art Museum and Denver Zoo — that operate on subnetworks tied into the city’s broader system.

O’Brien cataloged his office’s findings in an audit report released Thursday.

The report is the product of a review of city data, processes and planning efforts over two years — from Jan. 1, 2022, through Dec. 31, 2023.

The audit team found that city staff did not consistently complete quarterly mandatory cybersecurity training. The city also lacks a specific training regime for employees responsible for citywide information technology risk management.

O’Brien is urging Denver Technology Services — the city department tasked with overseeing and managing all physical and virtual technology that touches the city’s network — to overhaul its approach and create clear guidelines for how every wing of city government handles data and technology risks.

“Through awareness of cybersecurity risks and clear expectation-setting for appropriate use of technology, the city can trust its employees to do their part in protecting data and information,” O’Brien said in a statement.

The auditor’s office recommended seven steps that Technology Services should take to remedy Denver’s shortcomings.

Those include:

  • Developing a citywide risk assessment process

  • Developing risk management training

  • Creating information-exchange agreements that would require independent agencies and facilities to share information about high-level technology risks with the department

Sumana Nallapati, Denver’s chief information officer, accepted all seven recommendations in a response letter sent to the auditor’s office on June 7. Mayor Mike Johnston hired her in September.

Many facets of what O’Brien recommends are already underway, Nallapati wrote in her response letter.

“(Technology Services) intends to create a robust and holistic organizational risk management structure identifying roles, responsibilities, documentation, risk assumption, identification of training for necessary roles and escalation processes associated to technical risk,” Nallapati wrote in part.

Her letter acknowledged the administration’s limited power to influence independent city agencies. While Technology Services accepted the recommendation to pursue information exchange agreements, Nallapati wrote that her department plans to reach out to independent agencies to see whether they would be willing to sign memorandums of understanding — or MOUs — focused on risk assessment.

“(Technology Services) cannot commit to a completion date for any such efforts, or that a successful MOU will ever be reached,” she wrote.

The audit report cites officials with Denver County Court as specifically asserting that they have the legal authority to operate independently as the judicial branch of city government. Court officials argue that they should not be required to formally communicate potential cybersecurity risks to Technology Services, the report says.

“But this assertion of independence with limited collaboration undermines the greater good of protecting the city from costly and damaging cyber attacks…” the audit team wrote.

Denver’s approach leaves the city more vulnerable to equipment failures, service disruptions and cyber attacks, the auditor’s office found. Those risk factors could cost Denver millions of dollars per day if any of them were ever to lead to full city network failure, according to the report.

In a statement to The Denver Post, Nallapati said her department is “committed to working across the city enterprise on continuous improvement of technology risk management strategies.”

Colorado has seen its share of high-profile cyber attacks in recent years.

In 2018, a ransomware attack temporarily knocked the Colorado Department of Transportation’s back-end operations offline. It cost the state between $1 million and $1.5 million just to bring the agency’s functionality back to 80 percent of normal in the months that followed.

Earlier this year, a cyber attack hobbled the Office of the Colorado State Public Defender and delayed hundreds of court hearings. The agency acknowledged that personal data including clients’ Social Security numbers may have been compromised during that episode.

©2024 MediaNews Group, Inc, Distributed by Tribune Content Agency, LLC.